The notorious Russian-linked threat group Turla has been spotted using a novel backdoor dubbed TinyTurla-NG in a targeted campaign against Polish non-governmental organizations (NGOs) in December 2023. This backdoor, akin to its predecessor TinyTurla, serves as a last-resort access point left behind when other unauthorized access methods fail or get detected. Turla, known by various aliases, is associated with the Russian Federal Security Service (FSB) and has a history of sophisticated cyber operations targeting sectors across Europe and beyond.
TinyTurla-NG’s resemblance to its predecessor suggests a continuity in Turla’s tactics, indicating a persistent and evolving threat landscape. The campaign, which ran from December 2023 to January 2024, showcases Turla’s ongoing efforts to enhance its capabilities and target specific sectors and regions strategically. The use of compromised WordPress websites as command-and-control endpoints underscores the group’s adaptability and sophistication in evading detection and executing its malicious activities.
This targeted campaign underscores the high level of compartmentalization and precision employed by Turla, with only a select number of organizations, primarily in Poland, being affected. Despite ongoing efforts to track and mitigate Turla’s activities, the group’s advanced techniques and state affiliation pose significant challenges for cybersecurity researchers and defenders. As nation-state actors like those associated with Turla continue to leverage advanced tools and tactics, vigilance and collaboration among cybersecurity professionals remain crucial in mitigating the impact of such sophisticated threats.
